The Morristown, VT-based healthcare provider, Lamoille Health Partners, is facing a class action lawsuit over a June 2022 ransomware attack that affected almost 60,000 of its patients.
The attack was detected on June 13, 2022, with the investigation confirming the attackers gained access to its network the previous day. Before file encryption, the attackers potentially accessed or acquired documents from its systems that contained names, addresses, dates of birth, Social Security numbers, health insurance information, and medical treatment information.
On or around August 11, 2022, notification letters were sent to affected individuals, and complimentary identity protection and credit monitoring services were offered to patients whose Social Security numbers were potentially stolen. Lamoille Health Partners said the delay in issuing notification letters was due to the length of the investigation to establish which individuals had been affected and the types of information involved. The breach was reported to the HHS’ Office for Civil Rights as affecting 59,381 patients.
As is now common following healthcare data breaches, legal action is being taken by patients who had their protected health information exposed. The lawsuit alleges Lamoille Health Partners failed to implement appropriate safeguards to ensure the confidentiality of the protected health information stored on its systems, in violation of the HIPAA Security Rule. The plaintiff – Patricia Marshall – says the negligence of Lamoille Health Partners means her sensitive information is in the hands of cybercriminals and she and the class members face an imminent and ongoing risk of identity theft and fraud.
The lawsuit also alleges there was an unnecessary delay in issuing notification letters to affected individuals, even though notification letters were sent within the 60-days allowed by the HIPAA Breach Notification Rule. The lawsuit – Marshall v. Lamoille Health Partners Inc. – was filed in the U.S. District Court for the District of Vermont on September 1, 2022, and seeks compensatory damages for the plaintiff and class members, and injunctive relief, requiring Lamoille Health Partners to implement further security measures to better protect patient data. The plaintiff is represented by Burlington, VT, lawyer Matthew B. Byrne of Gravel and Shea.
The post Lamoille Health Partners Facing Class Action Lawsuit Over 58K-Record Data Breach appeared first on HIPAA Journal.